(54) Title: AN AUTHENTICATION METHOD
(57) Abstract

An authentication method for authenticating communication between
a first and a second party using a third party which is trusted
by said first and second parties comprising the steps of
calculating by the trusted third party the value of a first
authentication output using a parameter of the first party and a
second authentication output using the first authentication
output and sending the second authentication output to the second
party; calculating by the first party the first authentication
output and sending the first authentication output to the second
party; and calculating by the second party the second
authentication output based on the first authentication output
received from the first party and comparing the calculated second
authentication output with the second authentication output
received from the trusted third party whereby if the two second
authentication outputs are the same, the first party is
authenticated.

AN AUTHENTICATION METHOD

The present invention relates to an authentication method for use
for example, but not exclusively, in wireless cellular
telecommunication networks and also to a system using this
method.

A typical cellular wireless network 1 is shown in Figure 1. The
area covered by the network is divided into a number of cells 2.
Each cell 2 is served by a base transceiver station 4 which
transmits signals to and receives signals from terminals 6
located in the respective cell associated with a particular base
transceiver station 4. The terminals may be mobile stations which
are able to move between cells 2. As the transmission of signals
between the terminal 6 and the base transceiver stations 4 is via
radio waves, it is possible for unauthorised third parties to
receive those signals.

Accordingly, in known wireless cellular networks, authentication
is provided to identify the right mobile and ciphering is used to
prevent third parties from listening in. Illustrated in Figure 2
is the procedure carried out in the GSM (Global System for Mobile
communications) standard. In the first step S1, the mobile
station MS makes a request to a mobile services switching centre
(MSSC) via the base station for an outgoing call. A visitor
location register (VLR) is informed via the mobile services
switching centre of this request. The VLR takes control of the
authentication procedure.

Each mobile terminal is provided with an identification number
which is sometimes referred to, in a GSM standard, as the IMSI
(International mobile subscriber identity) number. The MSSC
forwards the mobile's IMSI to the VLR. Information on the IMSI is
initially provided by the mobile station. The VLR then sends, in
the second step S2, the IMSI together with the identity of the
VLR to the home location register HLR of the mobile. This ensures
that any incoming calls can be directed to the mobile station at
communication between a first and a second party using a third
party which is trusted by said first and second parties
comprising the steps of calculating by the trusted third party
the value of a first authentication output using a parameter of
the first party and a second authentication output using the
first authentication output and sending the second authentication
output to the second party; calculating by the first party the
first authentication output and sending the first authentication
output to the second party; and calculating by the second party
the second authentication output based on the first
authentication output received from the first party and comparing
the calculated second authentication output with the second
authentication output received from the trusted third party
whereby if the two second authentication outputs are the same,
the first party is authenticated.

The method may comprise the steps of calculating by the first
party the value of the second authentication output, sending the
value of the second authentication output calculated by the
trusted third party to said first party and comparing at the
first party the calculated value of the second authentication
output calculated by the first party and the value of the second
authentication output calculated by the third party whereby the
second party is authenticated.

Preferably, the value of the second authentication output
calculated by the trusted third party is sent to the first party
by the second station.

Preferably at least one and more preferably both of the first and
second authentication outputs are the outputs of a hash function.
The use of a double hash function is particularly advantageous in
providing a secure method of communication.

Both of the first and second hash function are preferably one
way. This means that it is virtually impossible for a third party
to determine the value of the at least one parameter. Preferably,
The trusted further party preferably has a secure connection with
the second party.

Preferably the identity of at least one party is only sent to the
other party in an encoded form. For example, the identity may be
included within one of the first and second authentication
outputs. Alternatively the identity may be sent in a separately
encrypted form. Since the identity of a party is important in
retaining secure communication, it is important that unauthorised
third parties not be able to obtain any identity of the first
or the second party.

Preferably, the method is used in a telecommunications network
which may be wired or a wireless network. One of the first and
second parties may be a mobile station whilst the other may be a
base station.

According to a second aspect of the present invention, there is
provided an authentication method for authenticating
communication between a first and a second party comprising the
steps of calculating the value of a first hash function of a
second hash function using at least one parameter; sending the
calculated value of the first hash function of the second hash
function from the first party to the second party, said second
party being provided with a separately calculated value of the
first hash function of the second hash function using the same at
least one parameter; and comparing the value of the first hash
function of the second hash function received from the first
party with the separately calculated value of the first hash
function of the second hash function, whereby if the two values
are the same, the first party is authenticated.

For a better understanding of the present invention and as to how
the same may be carried into effect, reference will now be made
by way of example to the accompanying drawings in which:-



WO 00/48358    PCT/EP00/01076



remainder when divided by the modulus n is used. 

g - generator of Diffie-Hellman key exchange, g can be any
suitable integer between 2 and n-1 inclusive.

x, y - random exponents used in the Diffie-Hellman key exchange.
In other words, g is raised to the power of x and/or y.

R, R' - random numbers, also referred to as nonces. Typically
these random numbers are changed regularly.

P, P' - security parameters, which include information as to the
available ciphers, hash functions etc.

SIG_A(φ) - signature SIG of φ by A's signature key.

E_k(φ) - φ encrypted using key k.

hash[X](φ) - parametrized hash function with a constant parameter
X. In other words, the hash function varies in accordance with a
given parameter X. The value of the parameter can of course vary.

φ|X - concatenation (i.e. putting two items together one after
the other) of φ and X.

φ,X - concatenation of φ and X.

Embodiments of the present invention use signature functions SIG
having the following features. SIG_A(φ) should only be computable
by A and principals authorised by A only, assuming that φ has
previously been chosen and φ has not previously been signed. In
X determines the hash function and because X only determines the
functions used it does not need to be secret. Indeed, the
parameters X may be publicly known and fixed for a long period of
time.

The protocols which will be described hereinafter are used to
perform key exchange, key reexchange and mutual authentication.
In summary, the mobile station MS and the network or base
transceiver station BTS perform an initial key exchange protocol
in order to obtain a shared secret S as a result of a
Diffie-Hellman key exchange. This shared secret S is g^xy mod n.
The parties also exchange a pair of random numbers R, R'. The
concatenation of the shared secret S and the two nonces provide
the key material. Different keys are derived from key material
using different parametrized hash functions. Rekeying is
performed by exchanging a new pair of random numbers.

Keys for encrypting further communications can also be created
using the following formula: k = hash[T](g^xy mod n|R|R') where T
is a unique parameter. T can be public or fixed and can be used
once or more than once.

During the initial key exchange protocol, security parameters P
are exchanged. These security parameters are used to inform the
other party about the available ciphers, hash functions etc.

Diffie-Hellman key exchange is a way to establish a shared secret
between two parties. When using modular arithmetic, it is very
hard to compute the value of x when only g^x is known. Normally,
computing x from g^x means computing the logarithm of g^x and this
is easy. However, in modular arithmetic the situation changes
dramatically; it is not known how to compute x from g^x.

In Diffie-Hellman key exchange therefore two parties establish a
shared secret in the following way. The first party sends "g^x".
The second party sends "g^y". Here x is known only by the first
party and y is known only by the second party. However the values
The signature SIG_B provided in the second message by the base
transceiver station is as follows:

SIG_B(hash[SIG1](n|g|g^x|g^y|g^xy|P|P'|R|R'|B))

B is the identity of the base transceiver station.

A temporary key k is computed from the shared secret and the
random numbers. The random numbers are included in the temporary
key so that rekeying can occur using the same shared secret.
Rekeying occurs when a new temporary key is generated. As will be
described in more detail hereinafter, rekeying can be achieved by
providing new random numbers R and R'. The temporary key k is
equal to hash[TKEY](g^xy mod n|R|R').
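
The key derivation k = hash[TKEY](g^xy mod n|R|R') and rekeying with fresh nonces over the same shared secret, as an added example that is not code from the patent. It assumes hash[X] is SHA-256 over the label X and length-prefixed fields; the demo group, the label "T2" and all function names are constructed for illustration.

```python
import hashlib
import secrets


def hash_x(label: str, *parts: bytes) -> bytes:
    """hash[X](a|b|...). Assumption: SHA-256 over X and length-prefixed fields."""
    h = hashlib.sha256(label.encode() + b"\x00")
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


# Constructed demo group: 2**127 - 1 is prime but far too small for real use.
N = 2**127 - 1
G = 3


def dh_keypair():
    """Pick a random exponent and return (exponent, g^exponent mod n)."""
    x = secrets.randbelow(N - 3) + 2          # exponent in [2, N-2]
    return x, pow(G, x, N)


def shared_secret(own_exponent: int, peer_public: int) -> bytes:
    """S = g^xy mod n, as fixed-width bytes so both sides hash the same input."""
    return pow(peer_public, own_exponent, N).to_bytes(16, "big")


def temp_key(s: bytes, r: bytes, r_prime: bytes, label: str = "TKEY") -> bytes:
    """k = hash[label](S|R|R')."""
    return hash_x(label, s, r, r_prime)


def demo():
    x, gx = dh_keypair()                      # mobile station
    y, gy = dh_keypair()                      # base transceiver station
    s_ms, s_bts = shared_secret(x, gy), shared_secret(y, gx)

    r, r_prime = secrets.token_bytes(16), secrets.token_bytes(16)
    k_ms = temp_key(s_ms, r, r_prime)
    k_bts = temp_key(s_bts, r, r_prime)

    # Rekeying: new nonces, same shared secret, no new exponentiation.
    r_new, r_prime_new = secrets.token_bytes(16), secrets.token_bytes(16)
    k_rekeyed = temp_key(s_ms, r_new, r_prime_new)

    # A different public parameter T gives a separate key from the same material.
    k_other = temp_key(s_ms, r, r_prime, label="T2")

    # A nonce altered in transit: the base station hashes a different R,
    # so the two sides no longer hold the same key.
    r_altered = bytes([r[0] ^ 1]) + r[1:]
    k_bts_altered = temp_key(s_bts, r_altered, r_prime)

    return {"k_ms": k_ms, "k_bts": k_bts, "k_rekeyed": k_rekeyed,
            "k_other": k_other, "k_bts_altered": k_bts_altered}


if __name__ == "__main__":
    d = demo()
    print("both sides agree:", d["k_ms"] == d["k_bts"])
    print("rekeying changes k:", d["k_rekeyed"] != d["k_ms"])
    print("altered nonce breaks agreement:", d["k_bts_altered"] != d["k_ms"])
```
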

The mobile station carries out a verify function in respect of
the signature SIG_B. The verify function and the signature
function are related so that given the value of the signature
function, the verify function provides an accept or reject value.
Accept means that the signature is accepted and reject means that
the signature is invalid. In other words the mobile station is
arranged to verify the signature which it receives.

In step A3, the message which is sent from the mobile station MS
to the base transceiver station is encrypted using the temporary
key. In the encrypted message, the identity of the mobile user U
is included. Thus, the identity of the user U is only sent in an
encrypted form. The encrypted identity is represented by E_k(U).
Along with the encrypted identity, the mobile station also sends
a signature SIG_U, similar to that sent from the base transceiver
station to the mobile station in step A2. However, that signature
is encrypted. The encrypted signature is represented by the
following:

E_k(SIG_U(hash[SIG2](n|g|g^x|g^y|g^xy|P|P'|R|R'|B|U))).

As can be seen, the identity of the mobile user is included in
the signature. Encryption of the signature is not essential
although the mobile's identity is encrypted and it may be more
convenient also to encrypt the signature. It should be
the base transceiver station BTS sends the following
authenticating hash function to the trusted third party TTP:

hash[AUTH](n|g|g^x|g^y|g^xy|P|P'|R|R'|B|U)

The identity of the mobile user U is already known by the trusted
third party. This may be achieved in any suitable way.

In embodiments of the present invention, it is preferred to send
the hash of g^xy rather than the encryption key k. As the
encryption key k is probably shorter than , it is thus easier
to attack. First shared secret data mod n is assumed to be
shared by the base station and the mobile but by no-one else.
There is a second, long term, shared secret between the base
station and the mobile phone which is distributed offline. This
long term secret may be in the SIM card of the mobile phone or
the like. The first secret g^xy mod n is used to get a session key
whilst the second secret is used so that the mobile phone is able
to authenticate the base station.

In the fifth step B5, the trusted third party computes a hash of
the secret from the shared secret data concatenated with
hash[AUTH] which the base transceiver station sent thereto. A hash
of the hash value calculated by the trusted third party is then
calculated, again by the trusted third party. The trusted third
party then sends this finally computed hash value to the base
transceiver station which records this value. The value sent by
the trusted third party to the base transceiver station is as
follows:

hash[RESP](hash[SEC](S|hash[AUTH](n|g|g^x|g^y|g^xy|P|P'|R|R'|B|U)))
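
The third-party check built from hash[AUTH], hash[SEC] and hash[RESP], with the comparison made on each side, as an added example that is not code from the patent. It assumes hash[X] is SHA-256 over the label X and length-prefixed fields and that S is the long-term secret held by the mobile and the trusted third party; the function names and the sample transcript values are constructed for illustration.

```python
import hashlib
import hmac


def hash_x(label: str, *parts: bytes) -> bytes:
    """hash[X](a|b|...). Assumption: SHA-256 over X and length-prefixed fields."""
    h = hashlib.sha256(label.encode() + b"\x00")
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def sample_transcript(r=b"R-1", r_prime=b"R'-1", gy=b"g^y"):
    """Constructed stand-ins for n|g|g^x|g^y|g^xy|P|P'|R|R'|B|U."""
    return [b"n", b"g", b"g^x", gy, b"g^xy", b"P", b"P'",
            r, r_prime, b"B", b"U"]


def auth_hash(transcript) -> bytes:
    """B4: the value the base station sends to the trusted third party."""
    return hash_x("AUTH", *transcript)


def ttp_response(secret: bytes, auth: bytes) -> bytes:
    """B5: hash[RESP](hash[SEC](S|hash[AUTH](...))), computed by the third party."""
    return hash_x("RESP", hash_x("SEC", secret, auth))


def mobile_outputs(secret: bytes, transcript):
    """Mobile side: hash[SEC] (sent to the base station) and its hash[RESP]."""
    sec = hash_x("SEC", secret, auth_hash(transcript))
    return sec, hash_x("RESP", sec)


def mobile_accepts_network(own_resp: bytes, forwarded_resp: bytes) -> bool:
    """B6: compare own hash[RESP] with the value relayed from the third party."""
    return hmac.compare_digest(own_resp, forwarded_resp)


def base_accepts_mobile(sec_from_mobile: bytes, resp_from_ttp: bytes) -> bool:
    """Base station hashes the mobile's hash[SEC] and compares; it never sees S."""
    return hmac.compare_digest(hash_x("RESP", sec_from_mobile), resp_from_ttp)


def run_exchange(s_mobile, s_ttp, transcript_bts, transcript_ms):
    """Return (network authenticated to mobile, mobile authenticated to base)."""
    resp = ttp_response(s_ttp, auth_hash(transcript_bts))
    sec, own_resp = mobile_outputs(s_mobile, transcript_ms)
    return (mobile_accepts_network(own_resp, resp),
            base_accepts_mobile(sec, resp))


if __name__ == "__main__":
    S = b"constructed-long-term-secret"
    t = sample_transcript()
    print("honest run:", run_exchange(S, S, t, t))
    print("wrong secret:", run_exchange(b"guess", S, t, t))
    # The two sides saw different g^y values, as under a man in the middle.
    print("transcript mismatch:",
          run_exchange(S, S, t, sample_transcript(gy=b"other")))
    # hash[SEC] captured in one session, presented after new nonces.
    old_sec, _ = mobile_outputs(S, t)
    t2 = sample_transcript(r=b"R-2", r_prime=b"R'-2")
    print("replayed hash[SEC]:",
          base_accepts_mobile(old_sec, ttp_response(S, auth_hash(t2))))
```

Because hash[AUTH] covers the nonces and the key exchange values, a hash[SEC] value recorded in one session does not verify in the next.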

The same value is then forwarded from the base transceiver
station to the mobile station in the sixth step B6. The mobile
station is able to compute the value of hash[SEC] directly. The
mobile station then calculates hash[RESP] from hash[SEC] and
thus compares the value of hash[RESP](hash[SEC]) which it
calculated with the value received from the trusted third party
via the base transceiver station. If the two values of
the same information which is sent in the key exchange using
signatures (Figure 3) and also signs the information. With this
key exchange, the base station cannot be as sure as to the
identity of the mobile station with which it is communicating.
However, the signature by the base transceiver station ensures
good key exchange. In other words, the unidentified mobile
station can detect if there are any man in the middle attacks
and drop the connection if needed. The base station is not able
to detect man in the middle attacks but it does not need to. In
particular, the base station will not transmit security critical
information to an unidentified party anyway. This can be used for
access to public networks such as the internet where the identity
of the mobile is not required.

Reference will now be made to Figure 6 which shows a simple
rekeying procedure without requiring new authentication. The
purpose of this protocol is to distribute new random numbers in
order to perform rekeying.

Re-keying means that a new temporary key k for encryption
purposes can be generated. To avoid the unauthorised deciphering
of messages between the mobile station and the base station,
rekeying should occur frequently.

In the first step D1, the mobile station sends to the base
transceiver station the new random number R_new. In the second
step D2, the base transceiver station transmits a second new
random number R'_new to the mobile station. With this particular
protocol, it is not necessary that the random numbers be kept
secret. However, the integrity of the random numbers should be
protected. In other words, the random numbers should not be
modified during their transmission between the mobile station and
the base transceiver station. This is for issues of quality and
not security. It is of course possible that the order of the two
steps D1 and D2 can be reversed.

A new temporary key k can be derived from the equation 
In the first step F1, the mobile station sends the new random
number R_new to the base transceiver station. In the second step
F2, the base transceiver station sends the second new random
number R'_new to the mobile station and signs a signature hash
function as follows:

SIG_B(hash[SIG1](n|g|g^x|g^y|g^xy|P|P'|R_new|R'_new|B))

The mobile station is able to calculate a new encryption key
using these new random numbers as outlined hereinbefore. The
mobile station is also able to authenticate the base station
using a verification function.

The new encryption key k is therefore
hash[TKEY](g^xy mod n|R_new|R'_new). In the third step F3, the
mobile station sends to the base transceiver station an encrypted
signature of a hash function hash[SIG] having the following form:

E_k(SIG_U(hash[SIG2](n|g|g^x|g^y|g^xy|P|P'|R_new|R'_new|B|U))).

The signature sent by the mobile station is encrypted. This is
not essential but may be more convenient if other information
needs to be encrypted. The encryption uses the new encryption key
k. The base station is able to authenticate the mobile station by
verifying the signature. If the verification function is
accepted, the mobile station is authenticated.

Reference will now be made to Figure 9 which shows rekeying using
third party authentication. In the first step G1, the mobile
station sends to the base station the identity of the new random
number R_new. In the second step G2, the base transceiver station
sends to a trusted third party an authentication hash function
hash[AUTH](n|g|g^x|g^y|g^xy|P|P'|R_new|R'_new|B|U) along with the
mobile identity U. The authentication hash function includes a
second new random number R'_new. As the connection between the
base station and the trusted third party is secure, there is no
need to encrypt the identity of the mobile station U. The trusted
third party computes in the third step G3 a hash[RESP] of a hash
of the shared secret S which includes the authentication hash
function and the shared secret and sends this value to the base
11. E_k(SIG_U(hash[SIG2](n|g|g^x|g^y|g^xy|P|P'|R|R'|B|U)))
12. E_k(U)
13. hash[AUTH](n|g|g^xy mod n|R|R'|B|U), U
14. hash[RESP](hash[SEC](S|hash[AUTH](n|g|g^xy mod n|R|R'|B|U)))
15. hash[SEC](S|hash[AUTH](n|g|g^xy mod n|R|R'|B|U))

As it can be seen, some of these messages share a common
structure namely messages 2 and 3, messages 4 and 5, and messages
6 and 7. This leaves a total of 12 different types of message.

This protocol family is thus advantageous in that it allows a
relatively large number of different protocols to be implemented
using only a small number of different messages.

Thus, the various different methods outlined hereinbefore can
define a family of methods made up of a limited number of
messages. It is thus possible, in embodiments of the present
invention, to select one of those methods. Various different
criteria can be used in deciding which of the methods to use. For
example, the different methods can be selected at random. A
re-keying method may always be selected only if a key exchange
method has been previously selected. The method may be selected
depending on the processing capability of the first and/or second
party (or the trusted third party when provided). The method can
be selected in dependence on the amount of time since the last
method was used. Alternatively, the method can be selected based
on the function provided by the particular method eg, whether or
not a trusted third party is used and whether or not
authentication is required and if so what type of authentication.

In the arrangement described hereinbefore the mobile station is
described as communicating with the base transceiver station. It
should be appreciated that the communication can in fact take
place with any suitable element of the network although this
communication will be via the base transceiver station. In other
words, some of the calculations described as taking place in the
base transceiver station in the preferred embodiments may take
place in other parts of the network but will be transferred to
the base transceiver station where appropriate. The mobile
Embodiments of the present invention may also be used in other
situations which require authentication such as other types of
wireless communication or communications which use fixed wire
connections. Embodiments of the present invention are not just
applicable to communication networks but are also applicable to
point to point connections be they wired or wireless connections.
5. A method as claimed in claim 4, wherein both of said first
and second authentication outputs are the outputs of a hash
function and both of said hash functions are one way.

6. A method as claimed in claim 4 or 5, wherein at least one of
said hash functions has a value of at least 160 bits in length.

7. A method as claimed in any of claims 4, 5 or 6, wherein one
of the hash functions includes a secret which is shared by said
first and second parties.

8. A method as claimed in claim 7, wherein said secret
comprises a Diffie-Hellman function.

9. A method as claimed in claims 7 or 8, wherein the shared
secret is used by at least one party to encrypt communications
between the first and second parties.

10. A method as claimed in any one of claims 7, 8 or 9, wherein
the shared secret is g^xy mod n where g is a Diffie-Hellman
function, x and y are random numbers and n is the modulus of the
Diffie-Hellman function.

11. A method as claimed in any preceding claim, wherein at least
one random number is used to encrypt communications between the
first and second parties.

12. A method as claimed in claim 11 wherein rekeying of a
encryption function occurs when the at least one random number is
changed.

13. A method as claimed in any preceding claim, wherein the
value of at least one parameter is sent from the first station to
the second station.

14. A method as claimed in any preceding claim, wherein the
value of at least one parameter is sent from the second station
received from the trusted third party whereby if the two second
authentication outputs are the same, the first party is
authenticated.

23. A first station as claimed in claim 22, wherein said first
station is a mobile station.

24. A first station as claimed in claim 22, wherein said first
station is a base transceiver station.

25. A first station as claimed in claim 22, 23 or 24, wherein
said first station receives the second authentication output from
the trusted third party via the second station.

26. A wireless telecommunications system comprising a first
station as claimed in any of claims 22 to 25 and a second
station, wherein said second station is arranged to calculate the
first authentication output and transmit the first
authentication output to the first party